prehistoric wrote: Meanwhile, there are new vulnerabilities to deal with in WPA2, and here's why it will take a while to fix them.
The problem in this case is not necessarily that the device itself will immediately be compromised and become part of a botnet, it is that an attacker may be able to read traffic on that channel which discloses information useful in later attacks.
My own rule for years has been that I disable remote access for administration of routers I use (and change the default password, of course). Set the device up so that it requires a direct wired connection for administration, even though this is inconvenient. If you use a wireless connection for administration, it is possible for someone using the KRACK attack to listen to traffic, including the settings and passwords you choose when you change the set-up. With remote administration enabled, and the password you set known, an attacker can do just about anything.
Note that every network gateway I've seen supplied by a cable company has a backdoor which allows them to change firmware and settings even if you have remote administration disabled. They are convinced that no one else will be able to use this (for reasons which escape me).
Getting firmware updates even for popular home products over a year old may be a problem. Suppose you have, as I do, a home router from Cisco/Linksys.
The Cisco home router business has been sold to Belkin. Even assuming Belkin now has the expertise to fix those problems, how much motivation do they have? I'm sure they would prefer that you buy new equipment.
In that particular case, I'd recommend installing the latest version of DD-WRT or OpenWRT with the patch for WPA/WPA2. The hardware will continue working long after the original commercial developer has lost interest in maintenance programming.
For large numbers of IoT devices you can't even be certain the company responsible for developing the firmware remains in business. This may be true even if the label refers to a stable and reputable company. Rebranding products takes place all the time.
Oh, just one more thing. I'm sure there will be sites offering firmware updates that contain malware to naive consumers.
Pushing either DD-WRT or, especially, OpenWRT right now is not a good idea. DD-WRT is in disarray, and has been for the better part of the past 12 months. The releases being put out there are buggy, and bugs are not being addressed even when they are clearly identified. There are still a few good builders there, but unfortunately most have upped & left & taken their skills with them (along with the skilled posters who used to post stuff). Thus, things are overall not good in the DD-WRT 'official' world.
OpenWRT is in even worse shape. It's best to know that OpenWRT has basically been abandoned, and has been so for over a year now:
https://wiki.openwrt.org/toh/linksys/wrt_ac_series
This is not just true for Linksys router owners, but for everyone in general.
Tomato, thankfully, is still going strong, and is still actively being developed. I have yet to try Tomato (been wedded to OpenWRT for about a decade), but it is increasingly looking like Tomato is going to be the only viable option.
The worst part of this, as you correctly note, is that people are going to think they can just update their routers (like they do their phones and/or MSFT-iOS systems) with the click of a button. That is where all these sites, many of them malware-oriented & backed, offering up too-good-to-be-true quick fixes for the WPA2 mess, will strike. The people falling for this will quickly be toast.
Right now, the best we can advise others to do is two things:
1) to focus on 'patching' their devices (as jd noted in the other thread about the WPA2 problem) and, if technically challenged, to do nothing with their routers, except to consider, unfortunately, buying new routers if the one they have doesn't get fixed. That s#cks, but sometimes the possible alternative is way worse than just s#cking.
2) if possible, learn and/or find a friend who can set up a subnet (from your router) and completely separate all Wi-Fi and LAN traffic in the house. No Samba, no sharing, no anything between these devices. Then, educate the house users and instill in them a horror at using any Wi-Fi device when thinking of doing anything sensitive online. All sensitive things done online should only be done via 'LAN' connections. This is already common practice at many worldwide skunkworks projects and, yes, in case you're wondering, it is also current common practice at many gov't high-security facilities. Wait for WPA2 to be supplanted; this has already been in the works and now, no longer facing inertia and apathy, will be pushed forward.
The last thing, which is going to be a spooky event not "IF" but "WHEN" it happens, is what you wrote here:
"...Note that every network gateway I've seen supplied by a cable [..and insert any worldwide internet provider here..] company has a backdoor which allows them to change firmware and settings even if you have remote administration disabled...."
Most every large ISP/cable/internet provider in the world has gone to this mode. It is maddening, but their argument (which has some validity) is that, yes, it lowers cost for them, with no repairmen visiting and/or long phone conversations with customers, and they can push out updates instantly, to all. I've seen this in action, and it works.
But when you ask these same companies what happens IF the hackers gain access to the company's systems, and thus take control of this aspect of being able to access all their customer devices from the so-called "official" backdoor built into their customer devices, well, the polite way to describe it, after they've mumbled something about hoping the company online-security posture can stop them (hold on while I uncontrollably laugh for a moment)... anyway, the proper way to describe their response is that colour drains away from their face & they fall silent. And these are people who are in the vanguard of the industry doing this, and are knowledgeable as hell, but they know what they are up against.
Stuff, whether we like it or not, is really going to get interesting over the next several years.
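As an added illustration (not from either poster in this thread) of the two pieces of advice above, namely administration only from the wired side and Wi-Fi clients kept off the wired LAN, here is how that looks as an OpenWRT UCI firewall configuration. Interface name 'wifi', the 192.168.2.0/24 range and the SSID/passphrase are constructed placeholders; the zone, forwarding and rule options are standard UCI firewall syntax.

```text
# /etc/config/network  (constructed: a separate interface for Wi-Fi clients)
config interface 'wifi'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

# /etc/config/wireless  (constructed: bind the AP to that interface, not to 'lan')
config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option network 'wifi'
	option ssid 'CONSTRUCTED-SSID'
	option encryption 'psk2'
	option key 'CONSTRUCTED-PASSPHRASE'

# /etc/config/firewall
# WAN: no traffic addressed to the router itself is accepted from the internet,
# which is what "remote administration disabled" means here (no LuCI/SSH from outside).
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

# Wi-Fi zone: clients may not reach the router's admin interfaces (input REJECT)
# and, because no 'forwarding' stanza points from 'wifi' to 'lan', cannot reach
# wired hosts either. The only path out is to the WAN.
config zone
	option name 'wifi'
	list network 'wifi'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'wifi'
	option dest 'wan'

# Wi-Fi clients still need DHCP and DNS from the router itself.
config rule
	option name 'wifi-dhcp-dns'
	option src 'wifi'
	option proto 'udp'
	option dest_port '53 67'
	option target 'ACCEPT'
```

The 'lan' zone keeps OpenWRT's default of input ACCEPT, so the web UI and SSH remain reachable only from a wired port; a forwarding stanza from 'lan' to 'wifi' may be added if wired hosts need to initiate connections toward Wi-Fi devices, but not the reverse.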